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1 . A computing apparatus comprising: 
a trusted hardware module (120); 
a plurality of further hardware modules (102,104,106); 

a shared communication infrastructure (110) by which the modules can 
5 communicate with each other; and 

a first communication path (122a; 122b; 122c), distinct from the communication 
infrastructure, by which a first one (102;104;106) of the further modules can 
communicate directly with the trusted module but cannot communicate directly with any 
other of the further modules. 

10 2. An apparatus as claimed in claim 1, wherein the trusted module and the first 
further module each include a respective computing engine which partakes in the direct 
communication via the first communication path. 

3. An apparatus as claimed in claim 1 or 2, wherein: 

the first further module (102) is operable to supply to the trusted module a 
15 request (156) for operation on data; and 

in response to such a request, the trusted module is operable to generate a 
response (158) and to supply the response to the first further module via the first 
communication path (122a) and not via the shared communication infrastructure. 

4. An apparatus as claimed in claim 3, wherein the trusted module includes means 
20 (132) for storing policy information regarding such operations which can and/or cannot 

be permitted, and is operable to generate the response with reference to the policy 
information. 



5. An apparatus as claimed in any preceding claim, wherein the trusted module is 
operable to generate an encryption and/or decryption key and to supply that key to the 
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first further module via the first communication path and not via the shared 
communication infrastructure. 

6. An apparatus as claimed in claim 5, wherein the first further module is operable to 
use the key for encryption and/or decryption of data communicated via the shared 

5 communication infrastructure. 

7. An apparatus as claimed in any preceding claim, wherein the trusted module is 
operable to generate a challenge (142) and to supply the challenge to the first further 
module via the first communication path or via the shared communication infrastructure 
using encryption set up using the first communication path. 

10 8. An apparatus as claimed in claim 7, wherein: 

in response to the challenge, the first further module is operable to generate a 

response (144a,144b,144c) and to supply the response to the trusted module via the first 

communication path or via the shared communication infrastructure using encryption set 

up using the first communication path; and 
15 the trusted module is operable to use the response in generating an integrity 

metric of the apparatus. 

9. An apparatus as claimed in any preceding claim, wherein: 

the first further module (106) has a zone (114) for private data and a zone (116) 
for non-private data; and 
20 the first further module is operable to supply and/or receive data from/for the 

private data zone via the first communication path (122c) and not via the shared 
communication infrastructure. 

10. An apparatus as claimed in claim 9, wherein the first further module is operable to 
supply and/or receive data from/for the non-private data zone via the shared 

25 communication infrastructure. 
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11. An apparatus as claimed in claim 9 or 10, wherein the first further module has an 
interface (118) between the private and non-private data zones which is operable to 
inhibit the passing of data from the private data zone to the non-private data zone. 

12. An apparatus as claimed in any preceding claim, wherein the first further module 
5 is a network interface module (106). 

13. An apparatus as claimed in any preceding claim, and including a second 
communication path (122a; 122b), distinct from the communication infrastructure and the 
first communication path (122c), by which a second one (102;104) of the further modules 
can communicate directly with the trusted module but cannot communicate directly with 

10 any other of the further modules. 

14. An apparatus as claimed in claim 13, wherein: 

the first further module (102) is operable to supply to the trusted module a 
request (164) for a transfer of data between the first and second further modules; and 

in response to such a request, the trusted module is operable to generate a 
15 response (1 64) and to supply the response to the first or second further module (1 04) via 
the first or second communication path (122b), as the case may be, and not via the 
shared communication infrastructure. 

15. An apparatus as claimed in claim 14, wherein the trusted module includes means 
(132) for storing policy information regarding such transfers which can and/or cannot be 

20 permitted, and is operable to generate the response with reference to the policy 
information. 

16. An apparatus as claimed in claim 14 or 15, wherein: 

in response to an appropriate such transfer response, the first or second further 
module is operable to supply the data to the trusted module via the first or second 
25 communication path, as the case may be; and 
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in response to the receipt of such data, the trusted module is operable to relay 
the data to the second or first further module, as the case may be, via the second or first 
communication path, as the case may be. 

17. An apparatus as claimed in any of claims 13 or 16, wherein the second further 
5 module is a main processor unit (102) of the apparatus or a non-volatile data storage 

module (104). 

18. An apparatus as claimed in any of claims 13 to 17, and including at least a third 
communication link (122b), distinct from the communication infrastructure and the other 
communication links (122a,122c), by which at least a third one (104) of the further 

10 modules can communicate directly with the trusted module but cannot communicate 
directly with any other (1 02,1 06) of the further modules. 

19. An apparatus as claimed in claim 18, wherein the second further module is a 
main processor unit (102) of the apparatus and the third further module is a non-volatile 
data storage module (104). 



15 20. An apparatus as claimed in any preceding claim, wherein the trusted hardware 
module (120) is adapted to measure an integrity metric of the computing apparatus. 



